Sunday, May 29, 2011

I saw a post over on Technology Forensics, LLC's blog on the topic of whether an IP (internet protocol) address from a wireless router should be enough to show probable cause to issue a warrant.

I can kind of see where they are going, but whether or not a warrant is issued for any IP address is not really the issue. Neither is whether the wireless connection is secured, or even whether the connection is wireless or wired.

To obtain a warrant to search a home, business, person, vehicle or other location, the police have to establish "probable cause". Probable cause in legal terms is defined as:

"A reasonable belief that a person has committed a crime. The test the court of appeals employs to determine whether probable cause existed for purposes of arrest is whether facts and circumstances within the officer's knowledge are sufficient to warrant a prudent person to believe a suspect has committed, is committing, or is about to commit a crime. U.S. v. Puerta, 982 F.2d 1297, 1300 (9th Cir. 1992). In terms of seizure of items, probable cause merely requires that the facts available to the officer warrants a "man of reasonable caution" to conclude that certain items may be contraband or stolen property or useful as evidence of a crime. U.S. v. Dunn, 946 F.2d 615, 619 (9th Cir. 1991), cert. Denied, 112 S. Ct. 401 (1992)." http://www.lectlaw.com/def2/p089.htm

Because of the way that networking technology works, the real issue is how far probable cause should extend beyond the IP address.

I'm no lawyer, so I am just going to explore this from a practical standpoint: how probable cause is developed in Internet cases that lead to a search warrant, and how the search and seizure should be limited based on the kind of probable cause that an IP address can actually establish.

First, it must be understood that in most instances an IP address is not the Internet address of a particular computer, but the Internet address of a router. A router is a device that allows multiple computers to use a single Internet connection, i.e. a single public IP address, to connect to the Internet. Anyone on the Internet, including an investigator, sees only the router's address, not the address of the computer behind it.

When the router happens to be a wireless router, then multiple computers can connect to the Internet via that wireless router from some distance, without ever being in or on the premises that house the wireless router.

How Probable Cause is Developed - File Sharing.

Internet investigations into the sharing of child pornography are cases where probable cause is developed entirely through technology. Using software to locate child porn files on the peer to peer networks, the investigator takes the IP address advertised by the file sharing client and performs a lookup to see where the IP address is located and to get the owner of the IP address. By owner, I mean who has the right to allow someone to use the IP address, which is going to be an Internet Service Provider (ISP). Once the investigator has the owner information, the next step is to issue a subpoena to the ISP for the account information of the subscriber who was assigned that IP address at the date and time the sharing was observed (most subscriber IP addresses are assigned dynamically, so the time matters).
</gra_replace>
<gr_replace lines="23" cat="clarify" orig="At this point for">
At this point, for the purpose of probable cause, the presumption has to be that the physical address of the person who pays the bill for the Internet account that was using the IP address at the time of the investigation is also where the computer doing the sharing will be found.

At this point for the purpose of probable cause, the presumption has to be that the physical address of the person who pays the bill for the Internet account that was using the IP address at the time of the investigation is also where the computer will be found that is doing the sharing.

Of course, if the address happens to be a 500 room hotel, then that could be an issue, since it might be a stretch to storm the hotel and seize every computer from everyone on the premises, employees and guests included. Yet when a search warrant is executed on a house, the same thing happens on a smaller scale. Every computer is seized, independent of whether or not there is any evidence at all that one of those computers is the one doing the sharing. Additionally, the way the warrants are worded, anything else can also be seized: video tapes, CDs, DVDs, magazines, sticky notes, manuals, and the list goes on. Police even seize the computer mouse, keyboard, monitor, and the power supply, items that are pretty unlikely to contain any evidence.

One question that should be raised is whether or not the probable cause developed for an IP address is enough to permit wholesale seizure of computers and storage devices without any idea which if any of them might be the instrument of the suspected crime.

It is not a difficult task, from a technology standpoint, to determine quickly which computer, if any, was actually the one that the investigator saw sharing on the Internet. The investigator's tools record the GUID of the sharing client during the investigation (the unique identifier the file sharing software advertises along with its IP address). Checking the computers on the premises for that GUID is simple and fast, and avoids having to seize every computer on the premises.
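The following is an added example, not code from the original post, that models the two points above: the IP address an investigator sees belongs to the router, so a subpoena on that address points at every host behind it, while the file sharing client's GUID points at one machine. The hosts, addresses (RFC 5737 documentation ranges) and GUIDs are constructed, and the NAT router is a toy model of port address translation, not any particular product.

```python
"""Added example, not code from the original post: a toy model of why a
public IP address identifies a router rather than a computer, and why an
application-level identifier such as a file-sharing client's GUID narrows
the search to one machine. Hosts, addresses and GUIDs are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    private_ip: str
    client_guid: Optional[str] = None  # GUID advertised by a P2P client, if one is installed


@dataclass
class NatRouter:
    """Port address translation: every outbound flow from any host behind
    the router leaves with the router's single public IP as its source."""
    public_ip: str
    hosts: List[Host]
    next_port: int = 40000
    table: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (ip, port) -> host name

    def outbound(self, host: Host) -> Tuple[str, int]:
        """Translate a flow from `host`. The mapping lives only as long as the
        router keeps it; home routers rarely log it at all."""
        port = self.next_port
        self.next_port += 1
        self.table[(self.public_ip, port)] = host.name
        return self.public_ip, port


@dataclass(frozen=True)
class Observation:
    """What an investigator's P2P tool can record: the source of the packets
    it received and the GUID carried in the client's replies."""
    src_ip: str
    src_port: int
    client_guid: Optional[str]


def build_network() -> NatRouter:
    # Constructed: a home (or a small hotel) with three devices behind one router.
    hosts = [
        Host("desktop", "192.168.1.10"),
        Host("laptop", "192.168.1.11", client_guid="7f3a1c9e-5b2d-4e8f-9a6c-0d1e2f3a4b5c"),
        Host("guest-phone", "192.168.1.12", client_guid="0c9b8a7d-6e5f-4a3b-8c2d-1e0f9a8b7c6d"),
    ]
    return NatRouter(public_ip="203.0.113.45", hosts=hosts)


def observe_sharing(router: NatRouter, sharer: Host) -> Observation:
    """The sharing host answers the investigator's query through the router."""
    src_ip, src_port = router.outbound(sharer)
    return Observation(src_ip, src_port, sharer.client_guid)


def candidates_by_ip(router: NatRouter, observed_ip: str) -> List[str]:
    """What the ISP subpoena gets you: the subscriber behind the public IP,
    which means every host that can use that router."""
    if observed_ip != router.public_ip:
        return []
    return [h.name for h in router.hosts]


def candidates_by_guid(router: NatRouter, observed_guid: Optional[str]) -> List[str]:
    """Check each machine on the premises for the client GUID seen during the
    investigation. The GUID belongs to the client installation, not the
    hardware, so a match is strong evidence but a non-match is not proof the
    machine was never involved (the client may have been removed)."""
    return [h.name for h in router.hosts if h.client_guid == observed_guid]


def candidate_by_nat_table(router: NatRouter, obs: Observation) -> Optional[str]:
    """Only possible if the router's translation table was preserved."""
    return router.table.get((obs.src_ip, obs.src_port))


if __name__ == "__main__":
    net = build_network()
    seen = observe_sharing(net, net.hosts[1])
    print("investigator saw:", seen)
    print("by IP (subpoena):", candidates_by_ip(net, seen.src_ip))
    print("by client GUID:  ", candidates_by_guid(net, seen.client_guid))
    print("by NAT table:    ", candidate_by_nat_table(net, seen))
```

Run stand-alone it prints all three hosts for the IP lookup and only the laptop for the GUID lookup; the NAT-table lookup works here only because the toy router keeps its table in memory, which is exactly the record a real home router does not preserve.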

The argument could be made that the software used during the online investigation is acting as an electronic "informant" by telling the investigator the location of the computer doing the sharing. The problem with that argument is that the informant in such a case would not actually know the location of the computer with any more precision than the location of the router in that 500 room hotel. In order for the informant to be a reliable source, it should have to be able to pinpoint the room, not just the hotel.

Another issue that really should be addressed is the fact that computers are closed containers. You cannot tell by looking at them whether they contain any evidence at all related to an investigation. So should all of the closed containers be seized, broken open and searched? Here is another analogy to consider. An informant tells an investigator that crack cocaine is present in a car in a parking lot. The informant can only provide the address of the parking lot, and nothing about the car that might contain the cocaine.

The parking lot is like the router: lots of cars can park in a parking lot, and the address of the lot is only going to get you to a whole bunch of cars, not a particular car. Does it make sense to impound and search every car on the lot based on the probable cause that a car parked in the lot might contain cocaine? Shouldn't the probable cause for the warrant specify a particular car, or at least a description of a car, that would prevent the wholesale seizure and subsequent search of all the cars? To bring it back to the Internet investigation, the car's license tag number is the equivalent of the GUID of the file sharing client on the computer that was seen sharing on the Internet. It is simple and easy to check, so you get the right car rather than all cars, and the right computer rather than all computers.

Wednesday, May 4, 2011

Nearly everyone is going wireless these days. It is just more convenient to have the ability to walk around the house with your iPad, use your laptop in a room where no cable connection exists, and it is a lot cheaper than running network cable through the house or office.

What amazes me is how many open hotspots there are still around. With all the news about security issues, bandwidth stealing, and even false allegations of child porn downloading, you would think that securing your home or business wireless would be JOB #1. But in many cases it isn't.

I can be riding in a car working on my laptop and as we travel down the interstate, run around town or even drive through the rural areas, I get wireless availability notices if I don't bother to turn off the wireless on the laptop. Out of curiosity, I occasionally pop up the little "connection available" window and take a look at nearby wireless hotspots.

What I see is that there are still a lot of unsecured wireless routers out there. I have to smile when I see an unsecured wireless with names like, "dontstealmyinternet" or "nointernetforyou" and they are sitting there open to connections.

On the other hand, being in an area with random unsecured wireless routers can also be annoying. Even today, the wireless networking in your computer wants to connect to wireless, even wireless you don't have any right to. And if the signal for an unsecured hotspot is stronger than the one you should be on, you can inadvertently make a connection.

Occasionally I get a call from a friend or client asking me to help with their wireless connection being slow and causing issues. When I check, I see they have accidentally connected to the neighbor's wireless, or even more concerning to a small business wireless with no security.

Once your laptop or wireless device gets a connection, it will keep it even if it is not the best connection. In other words, once it connects, it wants to hang on to that connection rather than continually checking that you are connected to the best source, or the correct source, for the wireless.

You can mitigate that somewhat by setting the wireless properties on your computer to connect only to "preferred" networks, and by turning off automatic connection to any network that is not on that list.

If you are planning on, or already have, a wireless router in your home or business, make sure that it is secured, is using at least WPA2 security (not WEP, which is broken and no better than an open network), and has a strong passphrase.
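The following is an added example, not code from the original post, that makes the two points above concrete: the difference between a client that joins whatever signal is strongest and one that joins only preferred networks presenting the security type they were saved with, plus a quick audit of a scan and of a WPA2 passphrase. The scan results, the preferred list and the 16-character passphrase floor are this example's own assumptions; only the 8 to 63 printable ASCII character rule comes from the 802.11 PSK specification.

```python
"""Added example, not code from the original post: strongest-signal joining
versus preferred-network joining, and a small audit of scan results and of a
WPA2 passphrase. Scan results and the preferred list are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ScanResult:
    ssid: str
    security: str    # "open", "wep", "wpa", or "wpa2"
    signal_dbm: int  # closer to 0 is stronger


# Constructed scan from a living room. The neighbour's open router is the
# strongest signal; a second "HomeNet" with no encryption is either a
# misconfigured router or someone impersonating the home network.
SCAN = [
    ScanResult("HomeNet", "wpa2", -65),
    ScanResult("dontstealmyinternet", "open", -48),
    ScanResult("HomeNet", "open", -52),
    ScanResult("CoffeeShop", "wep", -80),
]

# Preferred networks: SSID and the security type each was configured with.
PREFERRED: Dict[str, str] = {"HomeNet": "wpa2", "OfficeNet": "wpa2"}


def naive_pick(scan: List[ScanResult]) -> Optional[ScanResult]:
    """Strongest signal wins, whatever it is: this is how you end up on the
    neighbour's router."""
    return max(scan, key=lambda r: r.signal_dbm, default=None)


def preferred_pick(scan: List[ScanResult],
                   preferred: Dict[str, str] = PREFERRED) -> Optional[ScanResult]:
    """Only networks on the preferred list, and only when they present the
    security type they were saved with, so an open network carrying a
    familiar name is refused. Among those, the strongest wins."""
    allowed = [r for r in scan if preferred.get(r.ssid) == r.security]
    return max(allowed, key=lambda r: r.signal_dbm, default=None)


def insecure_networks(scan: List[ScanResult]) -> List[str]:
    """SSIDs that are open or use WEP; WEP is broken and is treated as open."""
    return [r.ssid for r in scan if r.security in ("open", "wep")]


def wpa2_passphrase_problems(passphrase: str, min_len: int = 16) -> List[str]:
    """802.11 PSK passphrases must be 8 to 63 printable ASCII characters.
    The min_len floor and the tiny blocklist are this example's own policy,
    not a standard requirement."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII is allowed")
    if len(passphrase) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if passphrase.lower() in {"password", "12345678", "qwertyui"}:  # constructed blocklist
        problems.append("on the common-passphrase list")
    return problems


if __name__ == "__main__":
    print("naive client joins:    ", naive_pick(SCAN))
    print("preferred client joins:", preferred_pick(SCAN))
    print("insecure networks seen:", insecure_networks(SCAN))
    print("passphrase problems:   ", wpa2_passphrase_problems("password"))
```

The naive policy picks the neighbour's open router, the preferred policy picks the real WPA2 "HomeNet" and ignores the open one with the same name, and the audit lists every network a device in range could wander onto.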

If you are not sure how to do this yourself, call someone you know who can handle it for you.

You don't want to end up like this guy.

"BUFFALO, N.Y. — Lying on his family-room floor with assault weapons trained on him, shouts of "pedophile!" and "pornographer!" stinging like his fresh cuts and bruises, the Buffalo homeowner didn't need long to figure out the reason for the early-morning wake-up call from a swarm of federal agents.

That new wireless router. He'd gotten fed up trying to set a password. Someone must have used his Internet connection, he thought.

"We know who you are! You downloaded thousands of images at 11:30 last night," the man's lawyer, Barry Covert, recounted the agents saying. They referred to a screen name, "Doldrum."

"No, I didn't," the man insisted. "Somebody else could have but I didn't do anything like that."

"You're a creep ... just admit it," they said."

False porn accusations underscore Wi-Fi privacy dangers

And her report is right on the money. The value of text messages in criminal cases cannot be denied. They can be critical on both sides of the case.

The fact that the cellular carriers like Verizon, Sprint, AT&T, etc. don't keep them for any length of time is even more of an issue for the defense, which may not even know of the need for text message preservation until several months after a crime occurred.

The good news / bad news is that text messages, even deleted ones, can be retrieved from the phones themselves in some cases.

But that is not always the case, nor even the most common scenario. Much of the time cell phones are not collected and preserved properly, leading to the loss of valuable data that can be used in cases.

If you are an attorney and have a client contact you with a case involving text messages, civil or criminal, a couple of things should probably happen:

One: If the incident is recent enough, or you have an ongoing situation involving text messages, it may be a good idea to send a preservation letter to the carrier, or seek a preservation order, so they stop purging them.

Two: Take immediate steps to preserve the evidence on the phone by having a qualified cell phone forensics expert collect the data from the unit.

If you have a case where neither of the above occurred, all is not lost: have the phone examined to see if the deleted messages can be retrieved. Even so, time is of the essence, since deleted text messages do not remain on a cell phone forever; they should be collected right away. Not all phones allow for the retrieval of deleted text messages. In most cases your cell phone examiner can tell you whether the phone is supported for retrieval of deleted text messages. However, given the state of cell phone forensics today, sometimes the only way to know whether deleted text messages can be retrieved from a particular phone is to make the attempt with forensic tools.

Processing a cell phone is not expensive or very time consuming. It is well worth the investment if you need to preserve evidence in a case.

About EX FORENSIS

This is where I share my thoughts on the digital forensics field, talk about recent court rulings that impact digital forensics and anything else that comes to mind; mostly serious, sometimes not so much.

All writings on this blog are the original works of the author, Larry E. Daniel, unless otherwise stated, and are subject to the copyright laws of the United States.

Disclaimer

I am not an attorney. Nothing I post in this blog is intended to be, nor should be considered as legal advice. If you have a legal question you should seek the services of a licensed attorney in your area. Guest authors or others who are invited to post here are covered by the same disclaimer. Nothing on this blog is legal advice.